Adversarial Data Infrastructure for the LLM Era

AI+Security
Dataset Matrix

Building adversarial training data infrastructure for Security LLMs. Covering SQL Injection, XSS, RCE, Buffer Overflow, Path Traversal, Comprehensive Threat Detection and 8 major security datasets, with five-tuple structured annotation and full MITRE ATT&CK mapping.

security-llm@langhui:~$
# Load Langhui security datasets to train Security LLM
$ python train_security_llm.py --dataset langhuiai/security-suite
[INFO] Loading 8 datasets...
[INFO] ATT&CK techniques covered: 200+
[INFO] Five-tuple structured samples: 153,000+
[TRAIN] Epoch 1/10 | Loss: 0.342 | Acc: 99.5%
$
8
Security Dataset Matrix
6 Live2 Coming Soon
153K+
Five-Tuple Structured Samples
PCAP+HTTPXML Rules
200+
ATT&CK Technique Coverage
14 TacticsT1190
99.5%
Annotation Accuracy
AI Pre-AnnotationExpert Review
Scroll Down
Frontier Security Trends

Latest Advances in AI+Security

Generative AI is both an attack weapon and a defense revolution. From LLM-driven automated vulnerability discovery to the rise of Security LLMs, from adversarial machine learning to AI red teaming, AI is reshaping the cybersecurity landscape.

Security LLM 2026

Security LLM: The Rise of Specialized Security Large Models

Microsoft Security Copilot, Google Sec-PaLM, Palo Alto Cortex XSIAM and other specialized security large models have successively launched. Based on GPT-4/Claude architectures, they match or exceed human expert levels in threat intelligence, SOC alert triage, and attack chain reasoning. In the Security LLM era, high-quality adversarial data becomes the core barrier.

Threat Intel Alert Triage Attack Chain Reasoning
APT Detection 95%+

Deep Learning APT Detection Accuracy Breaks 95%

Transformer and GNN-based APT attack detection systems achieve over 95% accuracy on public benchmarks like DARPA TC and CIC-APT, significantly surpassing traditional rule engines. Multi-stage attack chain recognition, TTP reasoning, and anomaly behavior baseline modeling have become research hotspots, urgently requiring large-scale high-quality APT samples.

APT Detection Accuracy 95%+
AI Red Team Adversarial

LLM Red Teaming and Adversarial Machine Learning

OpenAI, Anthropic, and Google DeepMind have established professional AI red teams to conduct adversarial testing on Prompt Injection, Jailbreak, Data Poisoning, Model Extraction and other attacks. NIST AI RMF and OWASP LLM Top 10 list adversarial machine learning as a core AI security issue.

Prompt Injection Jailbreak Data Poisoning
AI Attacks 300%↑

Generative AI Increases Phishing Attack Success Rate by 300%

FBI/IC3 annual reports show that generative AI has increased phishing email success rates by 300%, with Deepfake voice scams causing over $500 million in losses. Black-market LLMs like WormGPT and FraudGPT circulate on the dark web, and AI-driven automated vulnerability discovery and adaptive attack orchestration are reshaping the threat landscape.

AI Phishing Deepfake Black-Market LLM
MITRE ATT&CK 80%+

MITRE ATT&CK Becomes the Core Framework for Threat Hunting

The MITRE ATT&CK framework has been adopted by over 80% of SOC teams worldwide, covering 14 tactics and 200+ techniques. Tools like ATT&CK Navigator, ATT&CK Eval, and CTRAC drive the industrialization of ATT&CK. Security LLMs must deeply understand ATT&CK to perform effective TTP reasoning and threat hunting.

14 Tactics 200+ Techniques Threat Hunting
Market Trend $215B

AI Cybersecurity Market to Exceed $215 Billion by 2030

Gartner predicts the AI-driven cybersecurity market will exceed $215 billion by 2030, with a compound annual growth rate of 22.8%. Security operations automation, AI threat intelligence, and zero-trust AI will become the three core tracks. High-quality adversarial data is the core strategic resource for AI security.

SecOps Threat Intel Zero Trust
Langhui Tech Security Dataset Matrix

8 Major Security Datasets, Building a Complete Security LLM Training Loop

From web attacks to system vulnerabilities, from single-point detection to comprehensive threats, from ATT&CK training to detection capability gaps. Five-tuple structured annotation with full MITRE ATT&CK framework mapping.

LIVE CRITICAL

SQL Injection Detection Rule Dataset

1,000~30,000 five-tuple entries, covering 7 subtypes including union query, blind injection, error-based, and time-based injection. Supports MySQL/PostgreSQL/MSSQL/Oracle databases. ATT&CK T1190 mapped, includes XML detection rules + PCAP traffic + HTTP reconstructed text + ground truth labels.

30K
Max Samples
7
Injection Subtypes
T1190
ATT&CK
WAF Rule Generation SQLi Detection SOAR
View Details
LIVE HIGH

XSS Cross-Site Scripting Detection Rule Dataset

1,000~30,000 five-tuple entries, covering 5 subtypes: reflected, stored, DOM-based, mXSS, etc. Includes bypass technique annotations (encoding bypass, case mixing, tag splitting, event mutation). ATT&CK T1189 mapped, covers HTML/JS/CSS/URL multiple contexts.

30K
Max Samples
5
XSS Subtypes
T1189
ATT&CK
WAF Rules Frontend Security CSP Generation
View Details
LIVE CRITICAL

RCE Remote Code Execution Detection Rule Dataset

800~20,000 five-tuple entries, covering 5 RCE types including command injection, deserialization, and SSTI. Includes Java/PHP/Python deserialization Gadget Chain data, supporting full-chain detection with ysoserial. ATT&CK T1059/T1203 mapped, covers command injection → privilege escalation → persistence → lateral movement complete attack chain.

20K
Max Samples
5
RCE Types
T1059
ATT&CK
Code Audit Deserialization APT Chain Detection
View Details
LIVE CRITICAL

Buffer Overflow Detection Rule Dataset (BOF)

500~10,000 five-tuple entries, covering 4 system-level vulnerability types: stack overflow, heap overflow, format string, and integer overflow. ATT&CK T1203 mapped, designed for binary security AI training, includes the complete loop from rule definition to validation evaluation, supporting CGC training corpus generation.

10K
Max Samples
4
Overflow Types
T1203
ATT&CK
Binary Vulnerabilities Fuzzing Code Audit
View Details
LIVE HIGH

Path Traversal Detection Rule Dataset

800~20,000 five-tuple entries, covering 4 attack types: directory traversal, LFI, RFI, and path normalization bypass. Includes rich encoding bypass payloads (URL/Double/Unicode/UTF-8 overlong/null byte/path truncation). ATT&CK T1083/T1005 mapped.

20K
Max Samples
4
Attack Types
T1083
ATT&CK
WAF Rules File Access AI Penetration Testing
View Details
LIVE CRITICAL

Comprehensive Threat Detection Rule Dataset

2,000~50,000 multi-type threat five-tuple entries, covering 6 categories: Web/Network/Host/Cloud/API/0day. Complete ATT&CK mapping + kill chain stage annotation. Serves as the complete corpus foundation for Security LLM pre-training, enabling "One Model for All Threats."

50K
Max Samples
6
Threat Categories
Full Map
ATT&CK
Security LLM XDR Threat Hunting
View Details
SOON TRAINING

MITRE ATT&CK Security Skill Training Dataset

1,000~20,000 ATT&CK offensive/defensive skill training entries, covering all 14 tactics and 200+ techniques. Each entry includes ATT&CK technique metadata, attack description, detection method, mitigation measures, process examples, and PCAP correlation. Dedicated corpus for Security LLM pre-training/SFT, covering the full scenario from knowledge injection to practical training.

20K
Max Samples
14
ATT&CK Tactics
200+
Technique Coverage
SFT Training TTP Reasoning SOC Automation
View Details
SOON GAP

ATT&CK Detection Gap and TTP Reasoning Dataset

500~1,500 high-value detection gap analysis + TTP reasoning chains with log data source mapping. Covers the complete pipeline from gap identification to rule generation, with five-tuple correlation structure. Dedicated for detection engineering automation training, supporting intelligent SIEM rule generation and red-blue team simulation.

1.5K
Max Samples
TTP
Reasoning Chain
SIEM
Rule Generation
Detection Engineering SIEM Rules Red-Blue Team
View Details
Five-Tuple Structured Annotation

Unified Five-Tuple Correlation Structure

All security datasets adopt a unified five-tuple (actually six-tuple) correlation structure, covering the complete loop from rule definition to traffic validation, providing a structured training foundation for Security LLMs.

Tuple 1

Rule Identifier

Unique rule ID, ATT&CK technique ID mapping, attack category, severity level, CVE correlation and other metadata identifiers

Tuple 2

XML Detection Rule

Structured XML format detection rule definition, including regex features, match conditions, and action types, directly consumable by WAF/IDS/SIEM

Tuple 3

Attack Payload

Real attack payload samples, including bypass techniques, encoding variants, Gadget Chains, etc., covering mainstream attack methods and variants

Tuple 4

HTTP Reconstructed Text

Complete HTTP request/response reconstructed text, including Header, Body, Cookie, URL and all fields, easy for NLP models to understand

Tuple 5

PCAP Traffic

Raw PCAP capture data, preserving complete network layer information (TCP/IP, TLS handshake, timing, etc.), supporting traffic analysis model training

Tuple 6

Ground Truth Label

Standard answers annotated by human experts (attack/normal, type, severity), used for model SFT/RLHF training and evaluation

MITRE ATT&CK Coverage Matrix

Full Coverage of 14 Tactics and 200+ Techniques

Langhui security datasets comprehensively map the MITRE ATT&CK framework, covering the complete attack kill chain from initial access to impact. Green cells indicate covered technique areas.

TA0043
Reconnaissance
TA0042
Resource Development
TA0001
Initial Access
TA0002
Execution
TA0003
Persistence
TA0004
Privilege Escalation
TA0005
Defense Evasion
TA0006
Credential Access
TA0007
Discovery
TA0008
Lateral Movement
TA0009
Collection
TA0011
Command & Control
TA0010
Exfiltration
TA0040
Impact
T1190
SQL Injection
T1189
XSS
T1059
RCE
T1203
Buffer Overflow
T1083
Path Traversal
T1005
Data Collection
Covered Tactics/Techniques Not Covered Total coverage of 14 tactics and 200+ techniques
Five-Tuple Data Sample

Structured Security Data Format Preview

Each entry uses a five-tuple structured format, with comprehensive annotation from ATT&CK metadata to PCAP traffic.

sqli-five-tuple.json
{
  "rule_id": "SQLI-2026-UNION-0001",
  "attack_type": "SQL Injection",
  "sub_type": "Union-based",
  "mitre_attack": "T1190",
  "severity": "CRITICAL",
  "xml_rule": "UNION.+SELECT",
  "payload": "1' UNION SELECT username,password FROM users--",
  "http_request": "GET /login?id=1'%20UNION%20SELECT...",
  "pcap_ref": "pcap/sqli-union-0001.pcap",
  "label": "malicious",
  "db_type": "MySQL"
}
Application Scenarios

Empowering AI Security Across All Scenarios

From WAF rule generation to Security LLM training, from SOC automation to red-blue team exercises, Langhui security datasets cover every critical aspect of AI security.

Security LLM Pre-training and SFT

The comprehensive threat detection dataset serves as the complete corpus foundation for Security LLMs, covering 6 categories: Web/Network/Host/Cloud/API/0day, enabling "One Model for All Threats." Combined with the ATT&CK training dataset for SFT, it injects TTP reasoning capabilities.

Intelligent WAF Rule Generation

XML detection rules from SQL injection/XSS/RCE/path traversal datasets can be directly consumed by WAF. Train LLMs to automatically generate detection rules for new attacks, increasing coverage by 40%+ and reducing false positives by 60%+.

SOC Automation and Alert Triage

Train SOC AI analysts using ATT&CK-based multi-attack mixed datasets for automated alert triage, threat hunting, and attack chain reasoning. Detection gap datasets help identify SIEM blind spots and intelligently generate complementary rules.

Red-Blue Team Simulation

ATT&CK training datasets support red team TTP simulation and blue team detection validation, automatically generating attack playbooks and detection rules. Detection gap datasets accurately identify defensive blind spots and quantify red-blue team coverage.

Code Security Audit AI

RCE/buffer overflow datasets train code audit models to automatically identify deserialization Gadget Chains, stack overflows, format string vulnerabilities, and more, supporting Java/PHP/Python/C/C++ multi-language code.

Threat Intelligence and TTP Reasoning

ATT&CK training datasets give LLMs deep understanding of TTPs (Tactics/Techniques/Procedures), enabling reasoning from a single alert to a complete attack chain, correlating threat intelligence, and predicting attacker's next moves.

FAQ

About AI+Security Datasets

What's the difference between the five-tuple structure and traditional security datasets?
The five-tuple structure (Rule Identifier + XML Detection Rule + Attack Payload + HTTP Reconstructed Text + PCAP Traffic + Ground Truth Label) is a security data annotation paradigm pioneered by Langhui, covering the complete loop from rule definition to traffic validation. Traditional datasets typically only provide payloads or logs, while the five-tuple structure enables Security LLMs to simultaneously learn rule generation, payload identification, traffic analysis, attack classification and other multi-dimensional capabilities, significantly improving training effectiveness.
How do the datasets ensure alignment quality with MITRE ATT&CK?
All datasets are annotated by security experts holding OSCP/CISSP/CEH certifications, with each entry mapped to specific ATT&CK technique IDs (e.g., T1190/T1189/T1059). We employ a triple-review mechanism: AI pre-annotation → expert review → ATT&CK consistency check, ensuring a mapping accuracy of 99.5%+. The comprehensive threat detection dataset covers all 14 tactics and 200+ techniques.
Does the PCAP traffic data contain real attack traffic?
PCAP traffic data is generated by professional red team operators launching real attacks in isolated range environments, preserving complete TCP/IP, TLS handshake, timing, and other network layer information. All traffic is desensitized (real IP/domain names removed) to ensure compliance and usability. HTTP reconstructed text is also provided for direct NLP model consumption.
Do you support customized attack scenario data?
Yes. Langhui Tech can customize attack datasets for specific customer business scenarios (such as finance, government, healthcare, industrial internet), including specific framework vulnerabilities (Spring/Struts/Shiro, etc.), specific cloud environments (AWS/Alibaba Cloud/Huawei Cloud), and specific ATT&CK tactic coverage. Please contact 137-5502-0164 for customized solutions.
How is dataset licensing and compliance ensured?
All attack data is generated in authorized range environments without involving any real production systems. Payload samples are desensitized and de-identified, and PCAP traffic has real IP/domain/MAC and other sensitive information removed. Langhui Tech provides complete authorization documents and compliance statements, complying with the Cybersecurity Law, Data Security Law, and Personal Information Protection Law requirements.
Start Your AI Security Data Journey

Let Adversarial Data Drive the
Next-Generation Security LLM

The DataAssetsAPI platform by Changsha Langhui Information Technology Co., Ltd. is dedicated to providing security teams and AI enterprises with high-quality, compliant adversarial data infrastructure. From SQL injection to comprehensive threats, from ATT&CK training to detection capability gaps, we build a complete Security LLM training loop.

Data Sample Preview Custom Attack Scenarios ATT&CK Alignment Report Compliance & Authorization